SANS ISC InfoSec Forums

A few times a year, we can read in the news that a rogue root certificate was installed without the user's consent. The latest story that pops up in my mind is the Savitech audio drivers, which silently install a root certificate[1]. The risks associated with this kind of behaviour are multiple, the most important being the ability to perform MitM attacks. New root certificates are not always the result of an attack or a malware infection. Corporate end-points might also get new root certificates. Indeed, more and more companies are deploying SSL inspection tools. It could be interesting to keep an eye on what's happening in your certificate store. On Windows systems, there is a GUI tool for this purpose, which you can call from the command line:

PS C:\Users\xavier> certmgr.msc

Or, from the Control Panel ("Manage User/Computer Certificates"):

A GUI is nice but the power of the command line is better! We can also interact with the certificate store via PowerShell. PowerShell has a virtual drive ‘CERT:’ that allows interacting with the certificate store. Here are some examples of commands:

On my test computers, I run a quick PowerShell script that collects details for all the certificates installed in the store, computes a SHA256 hash of the results and compares it with the hash generated by the last execution. Schedule it at a regular interval (e.g. once a day). It displays information on the console but also creates a specific Windows Event in the Application log:
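As an added example (not the diary author's script), here is one way to implement that check in PowerShell against the `Cert:` drive; the state-file paths, the event source name and the event IDs are assumptions, and registering the event source requires an elevated session the first time:

```powershell
# Added example, not the diary's script. Assumed: state-file paths, event source
# name and event IDs below; New-EventLog needs admin rights on first run.
$StateDir    = Join-Path $env:ProgramData 'CertStoreMonitor'
$HashFile    = Join-Path $StateDir 'last.sha256'
$SnapFile    = Join-Path $StateDir 'last.snapshot'
$EventSource = 'CertStoreMonitor'
$Stores      = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
               'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

# One line per certificate: store, thumbprint, subject, issuer, validity window.
$Lines = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4:u}|{5:u}' -f $Store, $_.Thumbprint, $_.Subject,
                                        $_.Issuer, $_.NotBefore, $_.NotAfter
    }
}
$Lines    = @($Lines | Sort-Object)   # sorted, so enumeration order cannot cause a false alert
$Snapshot = $Lines -join "`n"

# SHA256 of the snapshot text, as a lowercase hex string.
$Sha  = [System.Security.Cryptography.SHA256]::Create()
$Hash = -join ($Sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Snapshot)) |
               ForEach-Object { $_.ToString('x2') })

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

if (Test-Path $HashFile) {
    $OldHash = (Get-Content $HashFile -Raw).Trim()
    if ($OldHash -ne $Hash) {
        # Diff against the previous snapshot so the event names what was added or removed.
        $OldLines = @(Get-Content $SnapFile)
        $Diff  = Compare-Object -ReferenceObject $OldLines -DifferenceObject $Lines
        $Added = ($Diff | Where-Object SideIndicator -eq '=>').InputObject -join "`n"
        $Gone  = ($Diff | Where-Object SideIndicator -eq '<=').InputObject -join "`n"
        $Msg   = "Certificate store changed (old $OldHash, new $Hash)`nADDED:`n$Added`nREMOVED:`n$Gone"
        Write-Warning $Msg
        Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId 1001 -Message $Msg
    } else {
        Write-Host "Certificate store unchanged ($Hash)"
        Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1000 -Message "Certificate store unchanged ($Hash)"
    }
} else {
    Write-Host "Baseline created ($Hash)"   # first run: nothing to compare against yet
}
Set-Content -Path $HashFile -Value $Hash
Set-Content -Path $SnapFile -Value $Lines
```

Schedule it with Task Scheduler and collect Application events from the `CertStoreMonitor` source (ID 1001) centrally to be alerted when a new root or intermediate CA shows up on an end-point.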

> A few times a year, we can read in the news that a rogue root certificate was installed without the user consent.

You mean like how Windows will automatically and silently install root certificates that you have manually removed? Thankfully we run an HTTPS intercept proxy so the real certificate store used by our workstations for Internet access is the one on the proxy and not the one in Windows.